Sunday, December 18, 2011

In this post, I will explain another anti-attaching trick. The trick is that if we manipulate the _PEB_LDR_DATA structure pointed to by PEB.LoaderData, we can cause functions like EnumProcessModules and GetModuleFileNameExA to fail.

Consequently, ollydbg would not be able to see the process in the "Select process to attach" dialog box.

N.B. This trick can't be reliably used unless you carefully choose APIs in your application. Try to avoid APIs which read or write to the _PEB_LDR_DATA structure.

Update:
I have made a tiny plugin for OllyDbg v1.10. The plugin enables debugging applications that don't show up in the "Select process to attach" dialog box. The plugin first checks the integrity of the target process's _PEB_LDR_DATA structure. If a manipulated structure is detected, a new typical one will be created.

Update:
Variants of this trick manipulate PEB.LoaderData so that an infinite loop occurs in OllyDbg or any other application which tries to use the "EnumProcessModules" function or the like. See the image below.
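The integrity check the plugin performs can be illustrated with a bounded walk of InLoadOrderModuleList. The following is an added example written for this post; it is not the plugin's code or the blog's own code. It assumes simplified models of _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY (only the fields the walk needs, field names as in the Windows structures), and a reader callback that stands in for ReadProcessMemory so the check can run against a list constructed in the local process on any platform. The walk flags three symptoms of a manipulated structure: an unreadable link (the failure case for EnumProcessModules), a node visited twice (the infinite-loop variant), and a Blink that does not point back to the previous node.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified models of the Windows loader structures (assumption: only the
 * fields the integrity walk needs are modelled). */
typedef struct LIST_ENTRY_M { struct LIST_ENTRY_M *Flink, *Blink; } LIST_ENTRY_M;

typedef struct {
    uint32_t     Length;
    uint8_t      Initialized;
    void        *SsHandle;
    LIST_ENTRY_M InLoadOrderModuleList;   /* head of the doubly linked module list */
} PEB_LDR_DATA_M;

typedef struct {
    LIST_ENTRY_M InLoadOrderLinks;        /* first field: entry address == link address */
    void        *DllBase;
    void        *EntryPoint;
    uint32_t     SizeOfImage;
} LDR_DATA_TABLE_ENTRY_M;

/* Reader callback. In a real OllyDbg plugin this wraps ReadProcessMemory on the
 * target process; here it is a hypothetical abstraction so the walk is testable. */
typedef int (*remote_reader)(const void *remote_addr, void *buf, size_t len);

enum ldr_status { LDR_OK = 0, LDR_READ_FAIL, LDR_CYCLE, LDR_BAD_BLINK, LDR_TOO_MANY };

#define MAX_MODULES 4096

/* Walk InLoadOrderModuleList from the remote PEB_LDR_DATA. Every link is read
 * through the callback, every node address is remembered so a revisit is caught
 * before it becomes an infinite loop, and Blink must point at the previous node.
 * On success *count receives the number of entries. */
enum ldr_status check_ldr_list(const PEB_LDR_DATA_M *remote_ldr, remote_reader rd, size_t *count)
{
    PEB_LDR_DATA_M ldr;
    if (!rd(remote_ldr, &ldr, sizeof ldr)) return LDR_READ_FAIL;

    const LIST_ENTRY_M *head = &remote_ldr->InLoadOrderModuleList; /* remote address, not dereferenced */
    const LIST_ENTRY_M *prev = head;
    const LIST_ENTRY_M *cur  = ldr.InLoadOrderModuleList.Flink;
    const void *seen[MAX_MODULES];
    size_t n = 0;

    while (cur != head) {
        if (n >= MAX_MODULES) return LDR_TOO_MANY;
        for (size_t i = 0; i < n; i++)
            if (seen[i] == cur) return LDR_CYCLE;        /* list loops back on itself */
        seen[n++] = cur;

        LDR_DATA_TABLE_ENTRY_M e;
        if (!rd(cur, &e, sizeof e)) return LDR_READ_FAIL; /* link points at unmapped memory */
        if (e.InLoadOrderLinks.Blink != prev) return LDR_BAD_BLINK;
        prev = cur;
        cur  = e.InLoadOrderLinks.Flink;
    }
    if (count) *count = n;
    return LDR_OK;
}

/* Local stand-in for ReadProcessMemory: fails on a NULL address, copies otherwise. */
static int local_reader(const void *addr, void *buf, size_t len)
{
    if (addr == NULL) return 0;
    memcpy(buf, addr, len);
    return 1;
}

/* Constructed sample image: one PEB_LDR_DATA and three module entries. */
static PEB_LDR_DATA_M g_ldr;
static LDR_DATA_TABLE_ENTRY_M g_mod[3];

static void build_sample(void)
{
    memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = sizeof g_ldr;
    g_ldr.Initialized = 1;
    LIST_ENTRY_M *head = &g_ldr.InLoadOrderModuleList, *prev = head;
    for (int i = 0; i < 3; i++) {
        memset(&g_mod[i], 0, sizeof g_mod[i]);
        g_mod[i].DllBase = (void *)(uintptr_t)(0x10000u * (unsigned)(i + 1)); /* constructed */
        g_mod[i].SizeOfImage = 0x1000;
        prev->Flink = &g_mod[i].InLoadOrderLinks;
        g_mod[i].InLoadOrderLinks.Blink = prev;
        prev = &g_mod[i].InLoadOrderLinks;
    }
    prev->Flink = head;
    head->Blink = prev;
}

/* Intact list: returns the module count, or -1 if the check fails. */
int demo_intact_count(void)
{
    size_t n = 0;
    build_sample();
    return check_ldr_list(&g_ldr, local_reader, &n) == LDR_OK ? (int)n : -1;
}

/* Infinite-loop variant: last entry's Flink rewired to the second entry. */
enum ldr_status demo_loop(void)
{
    build_sample();
    g_mod[2].InLoadOrderLinks.Flink = &g_mod[1].InLoadOrderLinks;
    return check_ldr_list(&g_ldr, local_reader, NULL);
}

/* Broken-link variant: a Flink that points nowhere readable. */
enum ldr_status demo_null(void)
{
    build_sample();
    g_mod[1].InLoadOrderLinks.Flink = NULL;
    return check_ldr_list(&g_ldr, local_reader, NULL);
}

int main(void)
{
    printf("intact: %d modules\n", demo_intact_count());
    printf("loop variant: status %d\n", (int)demo_loop());
    printf("null-link variant: status %d\n", (int)demo_null());
    return 0;
}
```

Because the walk bounds both the number of steps and the set of visited nodes, it terminates on any list shape, which is exactly the property the "EnumProcessModules" callers in the post lack.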

Is the PEB_LDR_DATA structure a global structure where all processes have access to it?

I don't understand why Olly can't show me the process name if I click on attach. I mean I call these assembler instructions in a virtual address space. I know only that every process has its own process environment block.

Yes, every single process has its own Process Environment Block (PEB). You can't read the PEB of another process unless you use the "ReadProcessMemory" function, which reads across process boundaries provided that you have the required privileges.

The reason why OllyDbg does not show it is because OllyDbg uses the "EnumProcesses", "OpenProcess", "EnumProcessModules", "GetModuleFileNameExA" function sequence (see screenshot no. 1). EnumProcessModules and GetModuleFileNameExA wrap up calls to the "ReadProcessMemory" function. For more info, read this: http://waleedassar.blogspot.com/2012/03/getmodulefilenameex-and-infinite-loops.html